Swiss Federal Audit Office SFAO

Audit of the effectiveness of incident management in protecting federal ICT from cyber-risks

2022 CH2022cyberIncidents
SCALE
  • - Confederation level
COMPLIANCE FOCUS
  • - Financial Control Act
  • - Data Protection Act
  • - Federal Information Protection Ordinance
  • - Ordinance on Protecting against Cyber Risks in the Federal Administration
  • - Digital Transformation and Informatics Ordinance
  • - National Strategy for the Protection of Switzerland against Cyber Risks 2018-2022
PERFORMANCE ASPECT
  • - information management
  • - harmonization of categorization
  • - effectiveness of communication

It is important that cyberincidents are reported immediately, to enable higher-level analysis and appraisal of the threat. This could allow the threat of a lateral spread across the entire Federal Administration to be contained or, at best, prevented. During the audit, the SFAO observed that communication with the NCSC needs to be expanded further. For example, horizontal management , especially the exchange of information between service providers, is not yet ensured in all areas.

The coordination/harmonisation of cyberincident categorisation also presents a challenge in cases where the incident affects more than one service provider. Where there is none, there is a risk that different service providers will assign different priorities to the same incident. Such a situation can also lead to inconsistent communication to third parties.

In the event of a cyberincident, it cannot be ascertained quickly which applications and services from which provider, and for which administrative unit, need attention. As a result, when an IT security incident at an external service provider is reported, the affected administrative units cannot be informed immediately, which increases the vulnerability of the Federal Administration in general. Therefore, the creation of an overarching inventory should be considered.

The IT security officers have an important role in the reporting of cyberincidents: as service users, they report cyberincidents to their service providers, who in turn inform the NCSC. However, since there are different levels of maturity depending on the size of the service user , not all officers have assigned a deputy. Thus, in the officer's absence, cyberincident reporting, and in turn the report to the NCSC, can be delayed.

The Federal Procurement Conference has drawn up a model contract clause on cyber-risks. The contractual provisions on information security are a step in the right direction. However, deadlines for reporting cyberincidents vary and would have to be defined in accordance with usual practice. Moreover, the clause would have to be renegotiated for longterm contracts.

Code (gexf) to continue analysis with GephiTerminology graph
svg
The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available report of the author Supreme Audit Institutions (SAI). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).